Your contact list is important for what you like and enjoy on WhatsApp. With your contacts, you know which of your friends and family are on WhatsApp, you can send messages or call them, and it helps you understand who is in your groups. But losing your phone can also mean losing your contact list. Traditionally, WhatsApp does not have the ability to keep a contact list in a way that is easy and automatically restored in the event you lose it. Additionally, the only place you could add contacts was from your mobile device, by entering a phone number or scanning a QR code.
As part of WhatsApp’s new features to add and privately manage your WhatsApp contacts across connected devices, we’re announcing an encrypted storage system we’ve developed called Identity Proof Linked Storage (IPLS). IPLS allows you to save your contacts and restore them directly through WhatsApp. With IPLS in place, you can create contacts directly within WhatsApp and choose to connect them to your phone or keep them securely in WhatsApp only – allowing you to create contacts that have your own account. If you use connected devices, this also allows you to add and manage your contacts seamlessly regardless of the device you have.
Additionally, if you have multiple accounts on the same phone, such as a work and personal account, you can edit your contact list for each account. If you lose your phone, your contact list can be restored on a new registered device.
Contact names are kept private within WhatsApp, and we have created this with additional, strong security using IPLS to prevent communication with anyone except the user.
IPLS incorporates new privacy technology that protects your contact list in a privacy-friendly way. To ensure the safety and security of this system, we have done partnered with Cloudflare to give independent third party auditing its cryptographic form. The new technology was evaluated by external researchers and NCC Group Cryptography Services, an independent cybersecurity provider.
What is Identity Proof Linked Storage?
IPLS is a WhatsApp app that allows users to keep their names private. IPLS allows the client device to store information using a strong encryption key generated on the client device. Its acquisition depends on the customer verifying his original device.
IPLS is based on two devices that were previously used on WhatsApp: important exposure and our Hardware Security Module (HSM).
Certain events related to your phone’s WhatsApp application (such as installing or re-installing) cause the creation of new secret keys that correspond to your phone number. WhatsApp’s highly transparent system publishes a record of changes to the device’s key information in an append-only, cryptographic manner. Important Information (AKD) which allows WhatsApp clients to automatically verify a user’s private key.
Greater transparency allows WhatsApp, as well as the public, to privately verify whether a phone number used for a WhatsApp account is linked to a known key.
HSMs are used by WhatsApp backup end-to-end and allow the establishment of a private, non-disruptive view of the use within the WhatsApp data environment in a way that preserves privacy. Data changes within HSM security boundaries remain opaque even to WhatsApp insiders with the highest privileges and access to devices.
Pictures of IPLS
Integration of AKD and Cloudflare
As mentioned, the first block of IPLS is the WhatsApp AKD, which maps the customer’s phone number to the customer’s key. The identity of the original device is used to authenticate the client to ensure that only the owner of the communication key is authorized to restore the contacts.
Promoting one type of AKD, WhatsApp has created Cloudflare to be an additional witness of additions to AKD. Cloudflare digitally signs each instance, with an associated hash, and returns a digital signature confirming that the directory has not been tampered with. Key Vault from HSM verifies Cloudflare’s signature using Cloudflare’s public key.
WhatsApp relies on the availability of Cloudflare’s signature service and cannot proceed with AKD updates without a digital signature for each update.
In addition, WhatsApp provides clear evidence of long-term changes. Credentials are published to a single, read-only Amazon S3 database, which has a public interface so that any organization can retrieve the credentials.
Using AKD and partnering with Cloudflare ensures that there is only one copy of the directory that is verified by a third party.
HSM key storage
To ensure the privacy of registered users on WhatsApp, contact names are first encrypted using a private key generated by the user’s device, and then stored in the Key Vault from the HSM. The storage and retrieval of the encryption key is achieved through an end-to-end encryption mechanism between the client and the Key Vault from the HSM, ensuring that the transaction remains anonymous to WhatsApp.
Storing the connection key in an HSM-based Key Vault ensures its availability even if the user loses the phone. If a user loses their client device and wants to restore their contacts, a new client device can retrieve the communication key by setting up a secure session with the Key Vault based HSM. Key Vault verifies the client’s password by accessing the AKD through a secure password and ensures that the client has a matching private key.
Once the client is authenticated, the new client is allowed to access the communication key in the HSM-based Key Vault using a secure mechanism established by the client’s key and the HSM’s key.
To keep the private information stored in the WhatsApp group
IPLS is a new system that prevents unauthorized access to data by effectively integrating any data access into publicly visible updates that are published to WhatsApp’s main resources. This method is similar to how QR code scanning technology can be used to detect privacy violations in public end-to-end encrypted messages system.
WhatsApp’s new contacts feature will give users more ways to easily manage contacts across devices and accounts and keep them intact if they change phones or reinstall WhatsApp. We are happy with how IPLS has helped make this possible and will help ensure that WhatsApp messages are private and can be easily navigated by users when they get a new phone.
#IPLS #Privacy #WhatsApp #contacts